userAccountControl in AD is a bitmask.

You are sending a specific value, which might or might not work.
However, what you should be using are the pseudo attrs that represent
each bit in the mask.

It is in an odd part of the docs in my mind, but you can find the list here:
https://www.netiq.com/documentation/...a/bp8d4f4.html

Section 2.5.2 in the docs. Also note some are Read-only as well.

The one you want is:
dirxml-uACAccountDisable and set it to false or true as you desire.



On 5/30/2012 12:26 PM, ccandotti wrote:
>
> Hello, I'm new in the consultant world.
>
> I'm trying to unlock AD accounts with IDM. I created a policy and put it
> in the AD Driver set.
>
> The policy is this:
>
> <?xml version="1.0" encoding="UTF-8"?><policy>
> <rule>
> <description>Reset Lockout</description>
> <conditions>
> <and>
> <if-op-attr name="Description" op="changing"/>
> </and>
> </conditions>
> <actions>
> <do-add-dest-attr-value name="userAccountControl">
> <arg-value type="int">
> <token-text xml:space="preserve">512</token-text>
> </arg-value>
> </do-add-dest-attr-value>
> </actions>
> </rule>
> </policy>
>
> But when the user is locked and I change the description, it shows
> this error:
>
> DirXML Log Event -------------------
> Driver = \BAPRO\system\driverset1\Active Directory Driver
> Thread = Publisher Channel
> Level = success
> DirXML: [05/30/12 09:39:40.81]: ADDriver: Publisher Poll
> DirXML: [05/30/12 09:39:40.81]: ADDriver: get object changes - 0x0000
> DirXML: [05/30/12 09:39:40.81]: ADDriver: object changes complete
> DirXML: [05/30/12 09:39:51.36]: Loader: Received 'subscriber execute'
> document
> DirXML: [05/30/12 09:39:51.36]: Loader: XML Document:
> DirXML: [05/30/12 09:39:51.36]:<nds dtdversion="4.0"
> ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <modify cached-time="20120530123950.850Z" class-name="user"
> event-id="novell#20120530123950#1#1:eda4cdd0-5753-4437-45b8-d0cda4ed5357"
> qualified-src-dn="O=data\CN=idmprueba4" src-dn="\BAPRO\data\idmprueba4"
> src-entry-id="33450" timestamp="1338381590#8">
> <association
> state="associated">e550918f562dc646b4978840a190abef</association>
> <modify-attr attr-name="physicalDeliveryOfficeName">
> <remove-value>
> <value timestamp="1338380200#6" type="string">oiujsfdg</value>
> </remove-value>
> <add-value>
> <value timestamp="1338381590#8" type="string">north</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="title">
> <remove-value>
> <value timestamp="1338380200#4" type="string">sdhs</value>
> </remove-value>
> <add-value>
> <value timestamp="1338381590#4" type="string">senior</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> DirXML: [05/30/12 09:39:51.36]: Loader: Calling
> subscriptionShim->execute()
> DirXML: [05/30/12 09:39:51.36]: Loader: XML Document:
> DirXML: [05/30/12 09:39:51.36]:<nds dtdversion="4.0"
> ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <modify cached-time="20120530123950.850Z" class-name="user"
> event-id="novell#20120530123950#1#1:eda4cdd0-5753-4437-45b8-d0cda4ed5357"
> qualified-src-dn="O=data\CN=idmprueba4" src-dn="\BAPRO\data\idmprueba4"
> src-entry-id="33450" timestamp="1338381590#8">
> <association
> state="associated">e550918f562dc646b4978840a190abef</association>
> <modify-attr attr-name="physicalDeliveryOfficeName">
> <remove-value>
> <value timestamp="1338380200#6" type="string">oiujsfdg</value>
> </remove-value>
> <add-value>
> <value timestamp="1338381590#8" type="string">north</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="title">
> <remove-value>
> <value timestamp="1338380200#4" type="string">sdhs</value>
> </remove-value>
> <add-value>
> <value timestamp="1338381590#4" type="string">senior</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> DirXML: [05/30/12 09:39:51.36]: ADDriver: parse command
>
> className user
> destDN
> eventId
> novell#20120530123950#1#1:eda4cdd0-5753-4437-45b8-d0cda4ed5357
> association e550918f562dc646b4978840a190abef
> DirXML: [05/30/12 09:39:51.36]: ADDriver: parse modify class = user
> DirXML: [05/30/12 09:39:51.36]: ADDriver: association
> DirXML: [05/30/12 09:39:51.36]: ADDriver:
> e550918f562dc646b4978840a190abef
> DirXML: [05/30/12 09:39:51.36]: ADDriver: modify-attr
> DirXML: [05/30/12 09:39:51.36]: ADDriver: remove-value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: oiujsfdg
> DirXML: [05/30/12 09:39:51.36]: ADDriver: add-value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: north
> DirXML: [05/30/12 09:39:51.36]: ADDriver: modify-attr
> DirXML: [05/30/12 09:39:51.36]: ADDriver: remove-value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: sdhs
> DirXML: [05/30/12 09:39:51.36]: ADDriver: add-value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: value
> DirXML: [05/30/12 09:39:51.36]: ADDriver: senior
> DirXML: [05/30/12 09:39:51.36]: ADDriver: Connect using ldap_bind:
> user=administrator, domain=, password=***, method=negotiate,
> server=NXCAAD.nxcalab.intra, sign=no, seal=no ssl=yes
> DirXML: [05/30/12 09:39:51.37]: ADDriver: ldap_bind connection
> succeeded
> DirXML: [05/30/12 09:39:51.37]: ADDriver: ldap_modify user CN=idm
> prueba4,CN=Users,DC=nxcalab,DC=intra
> LDAPMod operations:
> delete attribute physicalDeliveryOfficeName
> >> oiujsfdg
> add attribute physicalDeliveryOfficeName
> >> north
> delete attribute title
> >> sdhs
> add attribute title
> >> senior
> DirXML: [05/30/12 09:39:51.37]: Loader: subscriptionShim->execute()
> returned:
> DirXML: [05/30/12 09:39:51.37]: Loader: XML Document:
> DirXML: [05/30/12 09:39:51.37]:<nds ndsversion="8.7"
> dtdversion="1.1">
> <source>
> <product version="3.5.14" asn1id="" build="20110211_120000"
> instance="\BAPRO\system\driverset1\Active Directory
> Driver">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status level="success"
> event-id="novell#20120530123950#1#1:eda4cdd0-5753-4437-45b8-d0cda4ed5357"/>
> </output>
> </nds>
> DirXML: [05/30/12 09:39:51.37]:
> DirXML Log Event -------------------
> Driver = \BAPRO\system\driverset1\Active Directory Driver
> Thread = Subscriber Channel
> Object = \BAPRO\data\idmprueba4
> Level = success
> DirXML: [05/30/12 09:40:40.81]: Loader: Received document from
> publicationShim
> DirXML: [05/30/12 09:40:40.81]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.81]:<nds dtdversion="2.2">
> <source>
> <product version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <status level="success" type="heartbeat"/>
> </input>
> </nds>
> DirXML: [05/30/12 09:40:40.81]: Loader: Received 'publisher reply'
> document
> DirXML: [05/30/12 09:40:40.81]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.81]:<nds dtdversion="4.0"
> ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status event-id="0" level="success"></status>
> </output>
> </nds>
> DirXML: [05/30/12 09:40:40.81]: Loader: DirXML returned:
> DirXML: [05/30/12 09:40:40.81]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.81]:<nds dtdversion="4.0"
> ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status event-id="0" level="success"></status>
> </output>
> </nds>
> DirXML: [05/30/12 09:40:40.81]:
> DirXML Log Event -------------------
> Driver = \BAPRO\system\driverset1\Active Directory Driver
> Thread = Publisher Channel
> Level = success
> DirXML: [05/30/12 09:40:40.81]: ADDriver: Publisher Poll
> DirXML: [05/30/12 09:40:40.81]: ADDriver: get object changes - 0x0000
> DirXML: [05/30/12 09:40:40.81]: ADDriver: process object change entry
> DirXML: [05/30/12 09:40:40.81]: ADDriver: Processing change from AD:
> isDeleted: NULL, whenCreated NULL, name NULL
> DirXML: [05/30/12 09:40:40.83]: ADDriver: Publisher MODIFY
> DirXML: [05/30/12 09:40:40.83]: ADDriver: Publisher Modify-
> effectiveClassQuery dn=CN=idm prueba4,CN=Users,DC=nxcalab,DC=intra
> className=user
> DirXML: [05/30/12 09:40:40.83]: ADDriver: accountExpires
> DirXML: [05/30/12 09:40:40.83]: ADDriver: description
> DirXML: [05/30/12 09:40:40.83]: ADDriver: dirxml-uACAccountDisable
> DirXML: [05/30/12 09:40:40.83]: ADDriver: displayName
> DirXML: [05/30/12 09:40:40.83]: ADDriver: facsimileTelephoneNumber
> DirXML: [05/30/12 09:40:40.83]: ADDriver: givenName
> DirXML: [05/30/12 09:40:40.83]: ADDriver: initials
> DirXML: [05/30/12 09:40:40.83]: ADDriver: l
> DirXML: [05/30/12 09:40:40.83]: ADDriver: logonHours
> DirXML: [05/30/12 09:40:40.83]: ADDriver: mail
> DirXML: [05/30/12 09:40:40.83]: ADDriver: physicalDeliveryOfficeName
> DirXML: [05/30/12 09:40:40.83]: ADDriver: postOfficeBox
> DirXML: [05/30/12 09:40:40.83]: ADDriver: postalCode
> DirXML: [05/30/12 09:40:40.83]: ADDriver: sAMAccountName
> DirXML: [05/30/12 09:40:40.83]: ADDriver: sn
> DirXML: [05/30/12 09:40:40.83]: ADDriver: st
> DirXML: [05/30/12 09:40:40.83]: ADDriver: streetAddress
> DirXML: [05/30/12 09:40:40.83]: ADDriver: telephoneNumber
> DirXML: [05/30/12 09:40:40.83]: ADDriver: title
> DirXML: [05/30/12 09:40:40.83]: ADDriver: userPrincipalName
> DirXML: [05/30/12 09:40:40.83]: Loader: Received document from
> publicationShim
> DirXML: [05/30/12 09:40:40.83]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.83]:<nds dtdversion="2.2">
> <source>
> <product version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <modify class-name="user" event-id="Active Directory
> Driver##1379dc3247f##0" src-dn="CN=idm
> prueba4,CN=Users,DC=nxcalab,DC=intra">
> <association>e550918f562dc646b4978840a190abef</association>
> <modify-attr attr-name="physicalDeliveryOfficeName">
> <remove-all-values/>
> <add-value>
> <value type="string" naming="false">north</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="title">
> <remove-all-values/>
> <add-value>
> <value type="string" naming="false">senior</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> DirXML: [05/30/12 09:40:40.86]: Loader: Received 'publisher reply'
> document
> DirXML: [05/30/12 09:40:40.86]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.86]:<nds dtdversion="4.0"
> ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status event-id="Active Directory Driver##1379dc3247f##0"
> level="success"><application>DirXML</application>
> <module>Active Directory Driver</module>
> <object-dn>CN=idm prueba4,CN=Users,DC=nxcalab,DC=intra
> (data\idmprueba4)</object-dn>
> <component>Publisher</component>
> <operation-data
> AccountTracking-association="e550918f562dc646b4978840a190abef"/>
> </status>
> </output>
> </nds>
> DirXML: [05/30/12 09:40:40.86]: Loader: DirXML returned:
> DirXML: [05/30/12 09:40:40.86]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.86]:<nds dtdversion="4.0"
> ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status event-id="Active Directory Driver##1379dc3247f##0"
> level="success"><application>DirXML</application>
> <module>Active Directory Driver</module>
> <object-dn>CN=idm prueba4,CN=Users,DC=nxcalab,DC=intra
> (data\idmprueba4)</object-dn>
> <component>Publisher</component>
> <operation-data
> AccountTracking-association="e550918f562dc646b4978840a190abef"/>
> </status>
> </output>
> </nds>
> DirXML: [05/30/12 09:40:40.86]:
> DirXML Log Event -------------------
> Driver = \BAPRO\system\driverset1\Active Directory Driver
> Thread = Publisher Channel
> Object = CN=idm prueba4,CN=Users,DC=nxcalab,DC=intra
> Level = success
> Message =<application>DirXML</application>
> <module>Active Directory Driver</module>
> <object-dn>CN=idm prueba4,CN=Users,DC=nxcalab,DC=intra
> (data\idmprueba4)</object-dn>
> <component>Publisher</component>
> <operation-data
> AccountTracking-association="e550918f562dc646b4978840a190abef"/>
> DirXML: [05/30/12 09:40:40.86]: Loader: Received document from
> publicationShim
> DirXML: [05/30/12 09:40:40.86]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.86]:<nds dtdversion="2.2">
> <source>
> <product version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <init-params>
> <publisher-state>
> <cookie>TVNEUwMAAADDbTKFfj7NAQAAAAAAAAAAKAAAAIyRBQ AAAAAAAAAAAAAAAACMkQUAAAAAANpFWtYom7dBqEaBMd3m7TkB AAAAAAAAAAEAAAAAAAAA2kVa1iibt0GoRoEx3ebtOYyRBQAAAA AA</cookie>
> </publisher-state>
> </init-params>
> </input>
> </nds>
> DirXML: [05/30/12 09:40:40.86]: Loader: Writing driver state to file
> DirXML: [05/30/12 09:40:40.86]: Loader: Document consists only of
> state; not sending to remote side
> DirXML: [05/30/12 09:40:40.86]: Loader: Returning to publisher:
> DirXML: [05/30/12 09:40:40.86]: Loader: XML Document:
> DirXML: [05/30/12 09:40:40.86]:<nds ndsversion="8.6"
> dtdversion="1.0">
> <output>
> <status level="success"/>
> </output>
> </nds>
> DirXML: [05/30/12 09:40:40.86]: ADDriver: object changes complete
>
> Can someone help me resolve this error and unlock AD accounts?
>
> Thanks!
>
>
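
An added example (not part of either post and not NetIQ's code) of the bitmask point made in the reply at the top: it decodes a userAccountControl value and compares overwriting it with the literal 512 against changing only the ACCOUNTDISABLE bit. The flag values are Microsoft's documented UF_* constants; the sample account value is constructed.

```python
# Added illustration. Bit values are Microsoft's documented userAccountControl
# flags; SAMPLE is a constructed account value, not taken from the trace above.
UAC_FLAGS = {
    0x000001: "SCRIPT",
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",        # 512, the literal used in the policy
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x040000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
}

def decode(uac):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

def set_flag(uac, name, enabled):
    """Change one named bit and leave every other bit untouched."""
    bit = next(b for b, n in UAC_FLAGS.items() if n == name)
    return uac | bit if enabled else uac & ~bit

def flags_lost_by_overwrite(current, literal=512):
    """Flags that silently disappear when `literal` replaces the whole value."""
    return decode(current & ~literal)

# Constructed sample: a disabled normal account that requires a smart card
# and has a non-expiring password.
SAMPLE = 0x000200 | 0x000002 | 0x010000 | 0x040000   # 328194

if __name__ == "__main__":
    print("current      :", SAMPLE, decode(SAMPLE))
    # Writing the literal 512 enables the account but also drops controls
    # nobody asked to change, such as SMARTCARD_REQUIRED.
    print("lost by 512  :", flags_lost_by_overwrite(SAMPLE))
    # Per-bit change, which is what a per-flag attribute such as
    # dirxml-uACAccountDisable expresses: only ACCOUNTDISABLE moves.
    enabled = set_flag(SAMPLE, "ACCOUNTDISABLE", False)
    print("per-bit clear:", enabled, decode(enabled))
```
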